jvm ecosystem report 2018 - res.cloudinary.com · virtual jug, and to subscribers of java magazine,...
TRANSCRIPT
JVM Ecosystem Report 2018A snapshot of the JVM landscape
01
Table of contents
02 About your tools06 Which IDE do you develop with
07 Which build tool do you use for your main project
08 Which Static quality tools do you use
09 Do you use static security tools in your testing
10 Which CI Server do you use
11 Which Source Code Management platform does your team use for your main project
12 Which code repository do you use for your main project
13 Which private binaryartifact repository do you use
14 Which testing technologies do you use
About your JDK01 Which Java vendorrsquos JDK do you use in production for your
main applications
02 Which Java SE version do you use in production for your main application
03 How do you plan to respond to Javarsquos new release cycle
04 What Java EE version do you use for your main application
05 What is the main JVM language you use for your main application
03 About your platform15 Which cloud platforms do you use
16 Which cloud approaches do you use
17 Which continuous deployment or release automation tools do you use
04 About your application18 Which other (non-JVM) languages does your application use
19 Which Web Frameworks do you use
20 Which ORM frameworks do you use
21 Which database do you use in production
22 Which application server do you use in production for your main application
23 Do you develop on the same application server you use in production
24 How many open source (direct) dependencies does your main application have
05
Table of contents
06 About you27 Where do you do your development work
28 How would you describe yourself
29 How do you rank your security expertise
30 How old are you
31 How many years of paid professional experience with Java do you have
32 What is the size of your company
33 Where do you principally get information about Java online
34 Are you a member of a Java User Group (JUG)
35 How much do you contribute to open source
About your processes25 How often do you release new versions of your code
26 How often do you audit your code
4All rights reserved 2018 copy Snyk amp Java Magazine
Welcome to the largest survey ever of Java developers
The data presented in the following report was taken
from more than 10200 questionnaires If you were one
of those survey-takers many thanks to you for putting
aside the time to share your experience for the benefit of
others
The survey was conducted by publishing its availability to
the Java community at large (via social media primarily)
to Java User Groups around the world including the
Virtual JUG and to subscribers of Java Magazine the
Java bimonthly publication from Oracle Corp As an
inducement to complete the survey a contribution to
Devoxx4Kids was promised by the sponsors of the survey
Snyk and Oracle
Devoxx4Kids organizes events worldwide where children
can develop computer games program robots and also
have an introduction to electronics
Their goal is to introduce teenagers to programming
robotics and engineering in a fun way to show teenagers
that it is possible to do something more creative with
computers
Information regarding respondents including
geographical location company size of their employer (if
any) age and experience with Java are presented at the
end of this survey
We appreciate constructive feedback and comments
especially regarding our analysis If you would like to be
contacted to participate in any future installments of this
survey please let us know We hope you enjoy reading
this report and can glean some useful insights from its
findings
Simon MapleDirector of Developer Advocacy Snyk
simonsnykiosjmaple
Andrew BinstockEditor in Chief Java Magazine Oracle
javamag_usoraclecomplatypusguy
Introduction
5All rights reserved 2018 copy Snyk amp Java Magazine
TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights
7 in 10 developers use the Oracle JDK in production
6 in 10 developers use Maven to build their main project
Almost 6 in 10 developers use Jenkins in CI
Almost 3 in 4 developers use Git as their SCM
Almost 8 in 10 developers use JUnit
4 in 10 developers use Spring Boot
Over 1 in 2 developers use Hibernate in their applications
4 in 10 developers use use Tomcat in production
19 in 20 developers use open source dependencies in their application
2 in 10 developers use OpenJDK in production
8 in 10 developers use Java SE version 8 in production
9 in 20 developers now use IntelliJ IDEA
8
Jenkins JUnit
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
01
Table of contents
02 About your tools06 Which IDE do you develop with
07 Which build tool do you use for your main project
08 Which Static quality tools do you use
09 Do you use static security tools in your testing
10 Which CI Server do you use
11 Which Source Code Management platform does your team use for your main project
12 Which code repository do you use for your main project
13 Which private binaryartifact repository do you use
14 Which testing technologies do you use
About your JDK01 Which Java vendorrsquos JDK do you use in production for your
main applications
02 Which Java SE version do you use in production for your main application
03 How do you plan to respond to Javarsquos new release cycle
04 What Java EE version do you use for your main application
05 What is the main JVM language you use for your main application
03 About your platform15 Which cloud platforms do you use
16 Which cloud approaches do you use
17 Which continuous deployment or release automation tools do you use
04 About your application18 Which other (non-JVM) languages does your application use
19 Which Web Frameworks do you use
20 Which ORM frameworks do you use
21 Which database do you use in production
22 Which application server do you use in production for your main application
23 Do you develop on the same application server you use in production
24 How many open source (direct) dependencies does your main application have
05
Table of contents
06 About you27 Where do you do your development work
28 How would you describe yourself
29 How do you rank your security expertise
30 How old are you
31 How many years of paid professional experience with Java do you have
32 What is the size of your company
33 Where do you principally get information about Java online
34 Are you a member of a Java User Group (JUG)
35 How much do you contribute to open source
About your processes25 How often do you release new versions of your code
26 How often do you audit your code
4All rights reserved 2018 copy Snyk amp Java Magazine
Welcome to the largest survey ever of Java developers
The data presented in the following report was taken
from more than 10200 questionnaires If you were one
of those survey-takers many thanks to you for putting
aside the time to share your experience for the benefit of
others
The survey was conducted by publishing its availability to
the Java community at large (via social media primarily)
to Java User Groups around the world including the
Virtual JUG and to subscribers of Java Magazine the
Java bimonthly publication from Oracle Corp As an
inducement to complete the survey a contribution to
Devoxx4Kids was promised by the sponsors of the survey
Snyk and Oracle
Devoxx4Kids organizes events worldwide where children
can develop computer games program robots and also
have an introduction to electronics
Their goal is to introduce teenagers to programming
robotics and engineering in a fun way to show teenagers
that it is possible to do something more creative with
computers
Information regarding respondents including
geographical location company size of their employer (if
any) age and experience with Java are presented at the
end of this survey
We appreciate constructive feedback and comments
especially regarding our analysis If you would like to be
contacted to participate in any future installments of this
survey please let us know We hope you enjoy reading
this report and can glean some useful insights from its
findings
Simon MapleDirector of Developer Advocacy Snyk
simonsnykiosjmaple
Andrew BinstockEditor in Chief Java Magazine Oracle
javamag_usoraclecomplatypusguy
Introduction
5All rights reserved 2018 copy Snyk amp Java Magazine
TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights
7 in 10 developers use the Oracle JDK in production
6 in 10 developers use Maven to build their main project
Almost 6 in 10 developers use Jenkins in CI
Almost 3 in 4 developers use Git as their SCM
Almost 8 in 10 developers use JUnit
4 in 10 developers use Spring Boot
Over 1 in 2 developers use Hibernate in their applications
4 in 10 developers use use Tomcat in production
19 in 20 developers use open source dependencies in their application
2 in 10 developers use OpenJDK in production
8 in 10 developers use Java SE version 8 in production
9 in 20 developers now use IntelliJ IDEA
8
Jenkins JUnit
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
05
Table of contents
06 About you27 Where do you do your development work
28 How would you describe yourself
29 How do you rank your security expertise
30 How old are you
31 How many years of paid professional experience with Java do you have
32 What is the size of your company
33 Where do you principally get information about Java online
34 Are you a member of a Java User Group (JUG)
35 How much do you contribute to open source
About your processes25 How often do you release new versions of your code
26 How often do you audit your code
4All rights reserved 2018 copy Snyk amp Java Magazine
Welcome to the largest survey ever of Java developers
The data presented in the following report was taken
from more than 10200 questionnaires If you were one
of those survey-takers many thanks to you for putting
aside the time to share your experience for the benefit of
others
The survey was conducted by publishing its availability to
the Java community at large (via social media primarily)
to Java User Groups around the world including the
Virtual JUG and to subscribers of Java Magazine the
Java bimonthly publication from Oracle Corp As an
inducement to complete the survey a contribution to
Devoxx4Kids was promised by the sponsors of the survey
Snyk and Oracle
Devoxx4Kids organizes events worldwide where children
can develop computer games program robots and also
have an introduction to electronics
Their goal is to introduce teenagers to programming
robotics and engineering in a fun way to show teenagers
that it is possible to do something more creative with
computers
Information regarding respondents including
geographical location company size of their employer (if
any) age and experience with Java are presented at the
end of this survey
We appreciate constructive feedback and comments
especially regarding our analysis If you would like to be
contacted to participate in any future installments of this
survey please let us know We hope you enjoy reading
this report and can glean some useful insights from its
findings
Simon MapleDirector of Developer Advocacy Snyk
simonsnykiosjmaple
Andrew BinstockEditor in Chief Java Magazine Oracle
javamag_usoraclecomplatypusguy
Introduction
5All rights reserved 2018 copy Snyk amp Java Magazine
TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights
7 in 10 developers use the Oracle JDK in production
6 in 10 developers use Maven to build their main project
Almost 6 in 10 developers use Jenkins in CI
Almost 3 in 4 developers use Git as their SCM
Almost 8 in 10 developers use JUnit
4 in 10 developers use Spring Boot
Over 1 in 2 developers use Hibernate in their applications
4 in 10 developers use use Tomcat in production
19 in 20 developers use open source dependencies in their application
2 in 10 developers use OpenJDK in production
8 in 10 developers use Java SE version 8 in production
9 in 20 developers now use IntelliJ IDEA
8
Jenkins JUnit
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
4All rights reserved 2018 copy Snyk amp Java Magazine
Welcome to the largest survey ever of Java developers
The data presented in the following report was taken
from more than 10200 questionnaires If you were one
of those survey-takers many thanks to you for putting
aside the time to share your experience for the benefit of
others
The survey was conducted by publishing its availability to
the Java community at large (via social media primarily)
to Java User Groups around the world including the
Virtual JUG and to subscribers of Java Magazine the
Java bimonthly publication from Oracle Corp As an
inducement to complete the survey a contribution to
Devoxx4Kids was promised by the sponsors of the survey
Snyk and Oracle
Devoxx4Kids organizes events worldwide where children
can develop computer games program robots and also
have an introduction to electronics
Their goal is to introduce teenagers to programming
robotics and engineering in a fun way to show teenagers
that it is possible to do something more creative with
computers
Information regarding respondents including
geographical location company size of their employer (if
any) age and experience with Java are presented at the
end of this survey
We appreciate constructive feedback and comments
especially regarding our analysis If you would like to be
contacted to participate in any future installments of this
survey please let us know We hope you enjoy reading
this report and can glean some useful insights from its
findings
Simon MapleDirector of Developer Advocacy Snyk
simonsnykiosjmaple
Andrew BinstockEditor in Chief Java Magazine Oracle
javamag_usoraclecomplatypusguy
Introduction
5All rights reserved 2018 copy Snyk amp Java Magazine
TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights
7 in 10 developers use the Oracle JDK in production
6 in 10 developers use Maven to build their main project
Almost 6 in 10 developers use Jenkins in CI
Almost 3 in 4 developers use Git as their SCM
Almost 8 in 10 developers use JUnit
4 in 10 developers use Spring Boot
Over 1 in 2 developers use Hibernate in their applications
4 in 10 developers use use Tomcat in production
19 in 20 developers use open source dependencies in their application
2 in 10 developers use OpenJDK in production
8 in 10 developers use Java SE version 8 in production
9 in 20 developers now use IntelliJ IDEA
8
Jenkins JUnit
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
5All rights reserved 2018 copy Snyk amp Java Magazine
TLDR Report HighlightsBefore we start this is a fairly long report so herersquos a TLDR overview of the main highlights
7 in 10 developers use the Oracle JDK in production
6 in 10 developers use Maven to build their main project
Almost 6 in 10 developers use Jenkins in CI
Almost 3 in 4 developers use Git as their SCM
Almost 8 in 10 developers use JUnit
4 in 10 developers use Spring Boot
Over 1 in 2 developers use Hibernate in their applications
4 in 10 developers use use Tomcat in production
19 in 20 developers use open source dependencies in their application
2 in 10 developers use OpenJDK in production
8 in 10 developers use Java SE version 8 in production
9 in 20 developers now use IntelliJ IDEA
8
Jenkins JUnit
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
01About your JDK
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 7
01 Which Java vendorrsquos JDK do you use in production for your main applications
We start the report with a core question
With so many vendors providing their own
JDK implementations which offerings are
developers using in production for their
applications
We can see the dominance that Oracle JDK
and OpenJDK have over everyone else With 7
in 10 developers opting to use the Oracle JDK
and a further 2 in 10 opting for the OpenJDK
there isnrsquot much competition However
future licensing and support changes might
cause these numbers to change in the future
None
Other
Azul
Android SDK
Eclipse OpenJ9IBM J9
OpenJDK
Oracle JDK
70
21
42 1
1 1
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 8
02 Which Java SE Version do you use in production for your main app
There were significant structural changes to the JDK in Java 9 which many predicted would affect
migration and adoption We can see from the results (note that the survey was open midway between
the releases of Java 10 and Java 11) that Java 8 is still the most dominant version of Java--almost 8 in 10
respondents say their main applications use it in production Equally significant is that fewer than half
the remaining non-Java 8 respondents are on a more recent version
79
40
0
10
20
30
40
50
60
70
80
49
3 1
11 EA109876 or lower We donrsquot
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 9
03 How do you plan to respond to Javarsquos new release cycle
While the Java 9 release brought with it some major
architectural changes it also introduced a new
release cadence in which Java SE versions ship every
six months Every two to three years a Long Term
Support (LTS) release offers longer-term support
such as security updates and so forth Note that
Java 9 is not an LTS release This question asks how
development teams will respond to this new release
cadence The responses were varied suggesting there
is still some uncertainty about how to proceed In fact
almost 1 in 3 developers donrsquot yet know how they will
respond to the new release cycle
We expect that in the forthcoming year best practices
will emerge and companies will settle into a preferred
migration cycle which likely will vary considerably by
industry As a result we expect that the ldquoDonrsquot know
yetrdquo figure will drop but we donrsquot know which of the
other buckets will see increases
Donrsquot know yet
Stay with long-term support (LTS) releases
Decide on a release-by-release basis
Always stay on the latest version of Java
28
8
30
34
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
10All rights reserved 2018 copy Snyk amp Java Magazine
Almost 4 in 10 respondents claim they do not use
enterprise Java Of those who do the majority are
on version 7 Java EE 8 was released in September
2017 so itrsquos promising to see that within less than a
year of release it is almost the most popular version
Unlike Java SE a release of Java EE takes a
longer to be adopted because it takes longer for
implementations to become available
In addition app server vendors require time to
adopt and implement the specifications
Wersquoll be keen to see how these numbers shift as
Jakarta EE 8 begins its rollout and adoption We
should spare a thought for the 2 who are
struggling on J2EE--a version whose last major
release was in 2003
04 What Java EE version do you use for your main application
2
27
10
0
10
20
30
40
22
2
38
Java EE 6 Java EE 7 Java EE 8Java EE 5J2EE We donrsquot
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
11All rights reserved 2018 copy Snyk amp Java Magazine
Exactly 9 in 10 JVM users are using Java for their
main applications While many projects today
are defined as multilanguage or polyglot the
part on the JVM primarily runs Java
Despite this strong preference for Java JVM-
based developers have consistently shown great
interest in other JVM languages as supported
by the popularity of articles about them in Java
Magazine and on major programming sites
For the last few years the emerging and ldquohotrdquo
JVM language has been Kotlin from JetBrains
which continues to make steady progress It is
now a supported language for development on
Android and it is the second major language for
writing scripts for the build tool Gradle (behind
Groovy) All this adoption has move Kotlin past
Scala and just past Groovy in our survey
The 30 figure for Clojure is remarkably high
and signals--to us at least--the continued interest
in functional programming The functional
orientation of many Java 8 features shows the
imprint of functional programming on Java itself
05 What is the main JVM language you use for your main application
90
300
242
236
183060
Java
Clojure
Kotlin
Groovy
Scala
Other
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
02About your tools
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 13
06 Which IDE do you develop with
The graph here is consistent with other recent
surveys IntelliJ passing Eclipse in the last one
to two years and Apache NetBeans staying at
around 10 of the market The 45 total votes
of IntelliJ consist of 32 IntelliJ IDEA Ultimate
Edition (the paid version) 11 IntelliJ Community
Edition (the free version) and 2 Android Studio
users The Eclipse category includes Eclipse STS
JBoss tools Rational Application Developer and
other Eclipse-based tools
The numbers of Apache NetBeans users havenrsquot
altered much which suggests that the migration
from Oracle to the Apache Software Foundation
hasnrsquot affected its user base Itrsquos also worth
mentioning that Visual Studio Code has made an
appearance which although is only 1 shows itrsquos
starting to make its mark in the Java community
Also a tip of the hat to the lsquovivimemacsetcrsquo
group who are probably reading this report on a
tablet (carved out of stone)
3
38
11
0
10
20
30
40
45
1 1
ApacheNetBeans
EclipseIDE
IntelliJIDEA
ViVimEmacsetc
Visual StudioCode
OracleJDeveloper
PaidFree
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 14
07 Which build tool do you use for your main project
In examining the numbers itrsquos important to note that we
asked for the principal build tool used We want to know
which build tool you rely on for your main project It can
also be interesting to know which build tools teams use
across all their projects but the plethora of answers tends
to dilute the usefulness of the responses As we can see
here Maven clearly dominates with a 31 ratio over itrsquos
closest rival Gradle Ant is still in use by 1 in 10 developers
whereas 1 in 20 use nothing
In a 2016 version of a similar survey by RebelLabs (2000
respondents) Maven stood at 68 and Gradle at 16
Gradlersquos improved adoption rate is due perhaps to the
addition of support for Kotlin as the scripting language
Gradle is also the default build engine for Android projects
However its progress against Maven has been slow
6
60
11
0
10
20
30
40
50
60
19
4
AntMaven Gradle NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 15
08 Which Static quality tools do you use
Before you send that email or tweet trying to fix the
internet note that this is a multiple choice question
so numbers here are not do not add up to 100 One
take away from this data is that there are really only a
handful of static quality tools in popular use with no
real surprises at the top SonarQube Findbugs and
Checkstyle dominate
Possibly most surprising is that 36 of respondents
donrsquot use any static quality tool whatsoever This is
most surprising as we expect that static quality tools
are the norm
0 10 20 30
27
6
3
39
23
15
8
SonarQube
Findbugs
Checkstyle
PMD
Cobertura
Emma
JDepend
40
Coverity
Other
2
8
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 16
09 Do you use static security tools in your testing
Security testing is becoming a hot topic that is headlined by
significant breaches across many different companies Yet still
today most sites do not use any static security tool whatsoever
In fact 72 of respondents almost three-quarters donrsquot use
any static tooling anywhere in their pipeline potentially leaving
them open to known vulnerabilities We hope a wider adoption
of security tools will appear in future surveys
Do use a security tool
Do not use a security tool
28
72Do use a security tool
Do not use a security tool
28
72
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 17
10 Which CI Server do you use
As most developers would expect Jenkins wins the CI
server race with a whopping 57 market share Itrsquos closest
competitor is ldquononerdquo at 21 of the vote which almost
matches the rest of the competition combined (at 22) The
remaining CI servers have less than 5 of the market share
each with Hudson the elderly relative of Jenkins struggling
on at 2 Itrsquos worth mentioning VSTS Microsoft VSTS
(Visual Studio Team Server) which is not usually thought of
in the JavaJVM space clocks in at 2
Most developers we believe expect that nearly all sites
today use continuous integration So itrsquos startling to see
that 1 in 5 applications do none at all Even personal projects
today use CI (such as Travis CI and CircleCI) which are
made available on public project-hosting sites such as
Bitbucket and GitHub If yoursquore one of the 21 who donrsquot
use CI on your projects wersquod love to hear why
0 10 20 30
2
2
2
1
57
5
4
CircleCI
Travis CI
Jenkins
Bamboo
TeamCity
Hudson
VSTS
40
Other
None
5
21
50
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 18
11 Which Source Code Management platform does your team use for your main project
As expected Git has convincingly won the
horse race in source code management If
you were in any doubt as to the extent of its
dominance almost 3 in 4 of our respondents
work in teams that use Git to manage their
codebases Subversion now covers the
majority of the remaining respondents and
somehow in 2018 3 of people still donrsquot
use source code management whatsoever
Sometimes there are no words
3
74
16
7
None
Other
Subversion
Git
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 19
12 Which code repository do you use for your main project
With code repositories the story is quite
different from SCM much more spread out
with GitHib and Bitbucket neck-and-neck at
25 each and GitLab close behind at 20
We could call those the ldquobig threerdquo of project
hosting Note that this question is not just for
public projects (in which we expect GitHub
would have a more significant lead) but also
for public and private project hosting
Microsoftrsquos recent acquisition of GitHub
might affect its future adoption rate and
wersquoll know more in future surveys Of the
25 share that GitHub has just over half
(52) of those respondents are using the
public version whereas the remainder (48)
are using the private GitHub Enterprise on-
premises offering VSTS makes up part of the
ldquootherrdquo bracket with 2
25
18
12
Other
None
GitLab
Bitbucket
GitHub
25
20
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 20
13 Which private binaryartifact repository do you use
Most sites donrsquot use a packaged artifact
repository--in theory because they donrsquot have
the need Those that like the convenience
it offers choose the well established Nexus
which is heavily focused on the JVM
ecosystem followed by JFrogrsquos Artifactory
which is somewhat more popular across
polyglot ecosystems
None
Other
Artifactory
Nexus38
22
33
7
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 21
14 Which testing technologies do you use
With an amazing (almost) 4 in 5 people using JUnit
and TestNG used by 10 more itrsquos clear that unit
testing by far the most dominant testing practice in the
JVM ecosystem (Respondents could choose multiple
answers so totals exceed 100) As to mocking itrsquos
now clear that Mockito has emerged as the preferred
mocking framework
With JMeter being used by almost 1 in 4 respondents and
Gatling by 5 we can see that the need for performance
testing is becoming much better appreciated Selenium
takes an impressive 29 Unlike the results for static
quality tools only 10 of respondents say they donrsquot use
any testing tool whatsoever
Hang onhellip 1 in 10 people donrsquot use a testing tool We
should move on before we lose faith in humanity
78
0 20 40 60
45
29
11
6
5
22
10
10
6
JUnit
Mockito
Selenium
JMeter
Cucumber
TestNG
PowerMock
Spock
Arquillian
Gatling
80
Other
None
6
10
10 30 50 70
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
03About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 23
From our data we can say that 57 of respondents use a
cloud platform of some sort
If we consider only the set of respondents who do use
cloud platforms we can see Amazon Web Services (AWS)
leading the pack with almost two-thirds of the votes
Microsoft Azure and the Google Cloud Platform are next
taking 18 and 20 respectively and Red Hat Openshift
and Oracle Cloud are making inroads
15 Which cloud platforms do you use
Do you use cloud platforms
No we donrsquot Yes we do
57
43
0 10 20 30
20
4
4
63
18
10
6
AmazonAWS
GoogleCloud
Azure
Red HatOpenShift
OracleCloud
IBM Cloud
Pivotal CloudFoundry
40
Cloud Foundry
Other
3
10
50 60
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 24
16 Which cloud approaches do you use
Containers lead the way on 43 while VMs stay in the game pretty at 33
As a relatively new technology ServerlessFass comes in strongly with
almost 1 in 10 respondents adopting this approach PaaS which has been
around a lot longer sits on a similar split at 10 1 in 3 respondents donrsquot use
any cloud approach at all
10
43
33
0
10
20
30
40
9
33
1
VMs Containers ServerlessFaaS
PaaS NoneOther
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 25
Almost 1 in 2 respondents donrsquot use any continuous deployment
or release automation tools whatsoever This might even be
higher as almost 1 in 5 donrsquot have any idea which tools are used
in CD or release automation Itrsquos somewhat surprising to see
bash as popular as Chef and Puppet
Actually whom are we kidding--Everyone loves bash
Ansible is the leading CD tool at 16
17 Which continuous deployment or release automation tools do you use
12
85
0
10
20
30
40
16
43
18
9
Chef PuppetAnsible bash We donrsquotNo ideaOther
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
04About your application
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 27
In todayrsquos polyglot world it would be naive to assume that
JVM languages are the only languages used in JVM apps
In fact more than half of JVM applications use front-end
JavaScript as well 1 in 5 use Python and almost 1 in 4 use
Nodejs As yoursquod expect many projects use SQL as well
18 Which other (non-JVM) languages does your application use
0 10 20 30
23
9
5
56
21
10
9
SQL
Nodejs
Python
C
C
PHP
Go
40
Other
None
19
8
50 60
Front endJavaScript 57
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 28
Few words can better express the Spring domination in the Java
ecosystem than this graph With 1 in 10 developers using Spring
Boot in their applications itrsquos interesting to see it has overtaken
the Spring MVC framework for the first time JSF is the closest
entrant with a respectable 19 and Struts despite a constant
stream of Remote Code Execution vulnerabilities in the news
is a strong fourth with almost 4 in 10 developers adopting it
More than 1 in 5 developers likely boast about how small their
applications are not needing a web framework at all
19 Which Web Frameworks do you use
40
0 10 20 30
36
19
5
3
3
2
6
9
3
3
Spring MVC
Spring Boot
JSF
Vaadin
GWT
Play
Struts
Grails
JHipster
DropWizard
Wicket
40
None
Other
21
8
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 29
More than 1 in every 2 developers use
Hibernate in their applications Almost 1 in
4 developers are happy with plain old JDBC
and Spring developers of course have the
option of using Spring JDBC template which
is used by 23 1 in 5 developers donrsquot use any
ORM framework whatsoever to access their
data (Developers could choose more than
one answer so totals do not equal 100)
20 Which ORM frameworks do you use
10
23
54
0
10
20
30
40
23
6
20
6
Hibernate Plain JDBC Spring JDBCTemplate
EclipseLink
MyBatis NoneOther
50
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 30
Once again Oracle Database takes the top
spot with almost 3 in 10 applications using
it in production MySQL and PostgreSQL
are strong competitors taking 21 and
20 respectively MongoDB is the highest
NoSQL database in use with 5
21 Which database do you use in production
27
0 10 20 30
4
5
21
20
4
6
2
1
1
9
DB2
Oracle Database
MongoDB
MySQL
Cassandra
PostgreSQL
H2
Redis
MS SQL
None
Other
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 31
More than 4 in 10 respondents use Tomcat as their
application server of choice The fast lightweight open
source community favorite has led the pack for a long
time now and it doesnrsquot look like thatrsquos going to change
any time soon JBoss and Wildfly are not too far behind
at 15 In the larger enterprise app server category
WebLogic has a slight lead over WebSphere
The ldquoOtherrdquo category contains TomEE and Liberty Profile
at 1 each which lead that group
22 Which application server do you use in production for your main application
0 10 20 30
41
5
5
15
9
6
Tomcat
JBossWildfly
Jetty
Oracle WebLogic
IBM WebSphere
GlassfishPayara
40
Other
None
6
13
50
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 32
Despite the obvious dangers more than one-third of
respondents develop on a different server from the one
they use in production--trading the possible cost of
failures for the convenience Surprisingly those who
state they use different application servers (or none)
in development actually have a wide variety of apps
and servers in production We were expecting mostly
the larger monolith-suited app servers that could cause
developers pain to use locally but the ratios were
comparable
23 Do you develop on the same application server you use in production
NoYes
64
36
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 33
It would be interesting to know how many people had to check to
see how many direct dependencies their application has Irsquod bet
it was the vast majority of you Yoursquore lucky I didnrsquot ask for direct
and transitive dependencies too In fact almost 1 in 4 respondents
openly state they donrsquot know how many dependencies they have
This might be because of the way the application is distributed
across a more complex build system
We can see from the results that fewer than 1 in 20 respondents
donrsquot use any open source dependencies whereas the
overwhelming 72 do If we remove those who donrsquot know
we can see that 95 or 19 of 20 respondents use open
source dependencies in their applications This shows how far
open source adoption has come as well as the need for us to
ensure these third-party libraries provide security quality and
availability we require from our application as a whole
24 How many open source (direct) dependencies does your main application have
1518
15
0
10
20
30
4
2523
6-101-50 10-20 20+ Donrsquot know
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
05About your processes
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 35
Worryingly almost 1 in 4 respondents (24) donrsquot know how
often their code is released This again might be due to the
complexity of the application and perhaps different services
are being released at various times
Almost 1 in 10 respondents are brave enough to release
multiple times a day but then again when you release that
often bravery is replaced with consistency The majority of
respondents release once every couple of weeks to once a
month More than 1 in 10 respondents release once every
six months or less Better clear my plans for the week wersquore
releasing on Monday
25 How often do you release new versions of your code
Do you know
No Yes
76
24
7
0 10 155 20
3
12
18
13
3
1
18
14
7
4
Once a day
Multiple times a day
Once a week
Once a month
Once every 2 weeks
Every couple of months
A few times a week
Once a quarter
Every 6 months
Once a year
Less than once a year
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 36
About half the sites audit their code And only almost 1
in 4 do so more than once a quarter Whether the audit
be for security performance or quality itrsquos good to have a
clear out With half of the respondents not auditing their
code whatsoever just imagine the gremlins that could
exist in those codebases
26 How often do you audit your code
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
50
24
11
6
63
Once a month or more
Every couple of years
Every year
Every 6 months
Every quarter
We donrsquot
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
06About you
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 38
27 Where do you do your development work
Not much to say here other than we expected
more respondents to come from North America
Perhaps theyrsquove lost all confidence in
voting altogether
Itrsquos great to see representation from all corners
of the globe Hmmm do globes have corners
1 55
5322
9
13
2
2
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 39
28 How would you describe yourself
We can see the vast majority of respondents
are technical with 87 either being developers
team leaders or architects More than half
state they are software developers And 2 of
C-level respondents took the time out of their
schedules to take our quiz
0 10 20 30
4
12
3
2
58
17
C-level
Consultant
SoftwareDeveloper
Architect
TeamLeader
Hobbyist
40
ProjectManager
Other
2
2
50
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 40
Security is often considered one of the dark arts Many
developers learn only lsquojust enoughrsquo to get by and allow
them to deliver their feature work meaning the real
experts are those who have a dedicated security career
As developers are owning more and more application
security responsibility being owned by developers
this is becoming a hot topic In our survey1 of
respondents state they have zilch none zero out of ten
security knowledge and are just happily writing their
struts applications Ok we made that last bit up The
same number state they are true security experts and
modestly gave themselves 10 out of 10 The majority sit
around the 5-7 mark with 6 in 10 respondents stating
theyrsquore no expert but certainly not novices
29 How do you rank your security expertise
0
10
15
5
20
21
5
10
20
2
1
12
19 19
9
0 1 2 3 4 5 6 7 8 9 10
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 41
Programming remains a profession associated
with the young and early middle-aged 38 of
readers are younger than 35 35 are between
35 and 45 and only 25 are older than that
Survey data shows a correlation between
positions of greater responsibility and age
suggesting that the lower numbers after
middle age are in part due to programmers
moving into management positions
30 How old are you
0 10 20
1
17
16
10
4
1
19
19
7
4
Under 21
21-30
41-45
36-40
46-50
31-35
51-55
56-60
60+
Prefer not to say
5 15
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 42
There was quite a range of experience among our
respondents as you can see from the graph but we
wanted to also look at the median ages of our job
roles back from question 28 to see when people
typically receive promotions The results are very
interesting with the median developer having 10
yearsrsquo experience team leaders 11 yearsrsquo experience
architects with 14 years and finally C-levels with 12
yearsrsquo experience
31 How many years of paid professional experience with Java do you have
2222
28
0
10
20
30
7
17
3
6-101-50 11-15 16-20 21-25
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 43
23
32
27
0
10
20
30
16
2
100-99910-990-9 1000+ Unemployed
40
With almost 40 of respondents working for companies that have less than 100
employees we see that Java continues to have a significant role in startups and
in small-to-medium businesses This finding is at odds with the perception of
Java being the language for enterprise apps
It is that certainly but definitely not only that
32 What is the size of your company
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 44
StackOverflow remains the preferred forum for asking
one-off questions and grepping replies to previous
answers for useful information Oraclersquos excellent
documentation is a natural place for reference Java
Magazine presents long-form in-depth articles for
readers wishing to fully understand a topic and
YouTube does the equivalent in video form DZone
and to a lesser extent InfoQ overlap all these areas
(Respondents could choose multiple answers)
33 Where do you principally get information about Java online
0 20 40 60
62
38
10
8
41
32
24
18
StackOverflow
Oraclersquos documentation
Java Magazine
DZone
YouTube
InfoQ
Java Ranch
Vimeo
Other
1
6
10 30 50 70
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 45
JUGs remain an underused resource in the community
with only 1 in 5 developers attending one meeting a year
The overwhelming two-thirds of respondents are not
members of any JUG whatsoever If geography is a factor
for those developers the Virtual Java User Group is an
excellent solution
34 Are you a member of a Java User Group (JUG)
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
Yes and I attend most meetings
Yes and I attend 1-2 meetingsper year
Yes but I donrsquot attend meetings
No13
7
67
13
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
All rights reserved 2018 copy Snyk amp Java Magazine 46
Open source remains what it has primarily been from the start the
domain of a small minority of dedicated developers
The existence of GitHub and other easily accessible code repositories
has helped developers to contribute their code but with more than 1
in 2 developers never having contributed to an open source project
therersquos still a lot of work to be done You should want to contribute
back so that rather than just being one of the 19 in 20 developers
using open source you can one day be one of the 19 in 20 developers
contributing to open source
35 How much do you contribute to open source
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
5521
5
2
3
I (co)maintain multiple opensource projects
I (co)maintain 1-2 open sourceprojects
Member of an open sourcefoundationcompany
Frequent pull requests
I opened 1-2 pull requests
Never have
6
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
47All rights reserved 2018 copy Snyk amp Java Magazine
V 7 in 10 developers use the Oracle JDK in production
V 2 in 10 developers use OpenJDK in production
V 8 in 10 developers are on Java SE version 8 in production
V 1 in 10 developers have migrated to version 9 or higher
V Almost 3 in 10 developers dont know how to handle the new Java release cadence
V Over 3 in 10 developers plan to only stay on the LTS releases of Java
V Only 1 in 10 developers plan to stay on the latest version of Java
V Almost 5 in 10 developers are on Java EE 7 or 8
V Java EE 7 is still the most popular Enterprise version of Java with almost 3 in 10 developers using it
V 9 in 10 JVM developers use Java
V Kotlin edges past Groovy and Scala in language usage on 242
V 9 in 20 developers now use IntelliJ IDEA
V 6 in 10 developers use Maven to build their main project
V Over 7 in 10 developers still dont use static security tools
V Almost 6 in 10 developers use Jenkins in CI
V Almost 3 in 4 developers use Git as their SCM
V GitHub BitBucket and GitLab take an almost even share of the code repository market
V Almost 8 in 10 developers use JUnit
About your JDK About your Tools
Summary
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
48All rights reserved 2018 copy Snyk amp Java Magazine
V Almost 6 in 10 developers also have front-end JavaScript in their application
V Almost 1 in 4 developers also use Node in their application
V 4 in 10 developers use Spring Boot
V Over 1 in 2 developers use Hibernate in their applications
V Almost 3 in 10 developers use Oracle Database in production
V 4 in 10 developers use Tomcat in production
V 1 in 4 developers have no idea how many OS dependencies their application brings in
V 19 in 20 developers use open source dependencies in their application
V 1 in 10 developers release their code multiple times a day
V Half of developers dont have their codebases audited
About your application
About your processes
V Over 6 in 10 developers who use cloud platforms deploy on AWS
V Over 4 in 10 developers use Containers
V Over 4 in 10 developers use no CD tools whatsoever
About your platform
